WSGISocketPrefix /var/run/wsgi
WSGIPythonOptimize 1
WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-name=pdc processes=2 threads=1 shutdown-timeout=10

<VirtualHost *:80>
  ServerName {{ hostname }}
  Redirect permanent / https://{{ hostname }}/
</VirtualHost>


<VirtualHost *:443>
    ServerName {{ hostname }}

    CustomLog /var/log/httpd/pdc-access.log combined
    ErrorLog /var/log/httpd/pdc-error.log

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    Alias /docs/ /usr/share/doc/pdc/docs/build/html/
    Alias /saml2protected /usr/share/ipsilon/ui/saml2sp

    # Using SetEnv here will not work as expected as it does not change
    # os.environ in the application itself. For more details see:
    # http://stackoverflow.com/a/9017610/1576064
    #
    # To override settings provide wsgi.py file with your preferred settings
    # and point the following directive to it.
    WSGIScriptAlias /  /usr/lib/python2.7/site-packages/pdc/wsgi.py


    RewriteEngine on
    # First try to find the files in pdc
    RewriteCond "/usr/lib/python2.7/site-packages/pdc/static/$1" -f
    RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pdc/static/$1" [L]
    # Try to find them in the patternfly files
    RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L]


    <Location "/">
        SetHandler wsgi-script

        LimitRequestBody 31457280
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
        Require all granted
        MellonEnable "info"
        MellonSPPrivateKeyFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.key"
        MellonSPCertFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.pem"
        MellonSPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/metadata.xml"
        MellonIdPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/idp-metadata.xml"
        MellonEndpointPath /saml2
        MellonVariable "saml-sesion-cookie"
        # Comment out the next two lines if you want to allow logins on bare HTTP
        MellonsecureCookie On
        SSLRequireSSL
        MellonUser "NAME_ID"
        MellonIdP "IDP"
        MellonSessionLength 3600
        # MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
        # MellonPostDirectory "/var/lib/ipsilon/post_cache"
        # MellonPostReplay On
    </Location>

    <Location /auth/saml2login>
        WSGIProcessGroup pdc
        MellonEnable "auth"
        Header append Cache-Control "no-cache"

        ## Kerberos authentication:
        #AuthType Kerberos
        #AuthName "PDC - Kerberos login"
        #KrbMethodNegotiate on
        #KrbMethodK5Passwd on
        #KrbAuthoritative on
        #KrbServiceName HTTP
        #KrbAuthRealm EXAMPLE.COM
        #KrbVerifyKDC on
        #Krb5Keytab /etc/httpd/conf/httpd.keytab
        #KrbSaveCredentials off
        #Require valid-user
    </Location>


    WSGIPassAuthorization On
    <Location /rest_api/v1/auth/token>
        WSGIProcessGroup pdc

        ## Kerberos authentication:
        #AuthType Kerberos
        #AuthName "PDC - Kerberos login"
        #KrbMethodNegotiate on
        #KrbMethodK5Passwd off
        #KrbAuthoritative on
        #KrbServiceName HTTP
        #KrbAuthRealm EXAMPLE.COM
        #KrbVerifyKDC on
        #Krb5Keytab /etc/httpd/conf/httpd.keytab
        #KrbSaveCredentials off
        #Require valid-user
    </Location>

    <Location "/static">
        SetHandler None

        # Disable auth on the static content, so that we're aren't forced to
        # use Kerberos.  Doing so would remove "Expires" headers from the static
        # content, which would lead to poor page-load times.
        AuthType none
        Satisfy Any
        Require all granted

        # Many file types are likely to benefit from compression
        # Enable gzip compression on them:
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css

        # Set far-future Expires headers on static content
        # (trac 184):
        ExpiresActive On
        ExpiresDefault "access plus 10 years"
    </Location>

    <Location "/docs">
        SetHandler None

        # Disable auth on the static content, so that we're aren't forced to
        # use Kerberos.  Doing so would remove "Expires" headers from the static
        # content, which would lead to poor page-load times.
        AuthType none
        Satisfy Any
        Require all granted

        # Many file types are likely to benefit from compression
        # Enable gzip compression on them:
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css

        # Set far-future Expires headers on static content
        # (trac 184):
        ExpiresActive On
        ExpiresDefault "access plus 2 weeks"
    </Location>

</VirtualHost>
